Software Signing Certificate Reputation Model

1. A computer-implemented method for using a computer system of a certificate authority to digitally sign software, the method comprising: receiving a request from a software developer to digitally sign software included in the request; accessing a security policy associated with the software developer, the security policy describing criteria for valid requests by the software developer; determining whether the request is valid based at least in part on whether one or more of the criteria for valid requests is met; using the computer system to digitally sign the software responsive to the determination indicating that the request is valid; embedding reputation information associated with the digitally-signed software in a digital certificate, the reputation information indicative of which of the one or more criteria for valid requests that were met in the determination of whether the request is valid, the one or more criteria for valid requests comprising geo-locations from which valid requests are issued by the software developer; and providing the digitally-signed software and the digital certificate to the software developer.

2. The computer-implemented method of claim 1 , wherein receiving the request from the software developer comprises: receiving a request to digitally co-sign software that is already digitally signed by the software developer.

3. The computer-implemented method of claim 1 , wherein determining whether the request is valid comprises: identifying conditions in which the request is received from the software developer; comparing the identified conditions to the criteria for valid requests described by the security policy of the software developer; determining whether the identified conditions of the request match the criteria for valid requests described by the security policy based on the comparison; responsive to the identified conditions of the request matching the criteria for the valid requests, determining that the request is valid and digitally signing the software; and responsive to the identified conditions of the request not matching the criteria for the valid requests, determining that the request is anomalous.

4. The computer-implemented method of claim 3 , further comprising: performing a security action responsive to determining that the request is anomalous, wherein the security action comprises denying the request.

5. The computer-implemented method of claim 3 , further comprising: performing a security action responsive to determining that the request is anomalous, wherein the security action comprises contacting the software developer to confirm that the request is valid; and wherein the confirmation comprises receiving a security credential from the software developer.

6. The computer-implemented method of claim 1 , further comprising: responsive to receiving the request, contacting a stakeholder associated with the software developer to verify that the request is valid; and refraining from processing the request until a security credential from the stakeholder is received verifying that the request is valid.

7. The computer-implemented method of claim 2 , further comprising: responsive to receiving the request to digitally co-sign the software, contacting a certificate authority to verify whether usage of a signing key by the software developer to digitally sign the software is expected, the signing key provided by the certificate authority; and responsive to determining that the usage of the signing key is unexpected, determining that the signing key is stolen.

8. The computer-implemented method of claim 1 , wherein the criteria for valid requests by the software developer further comprise at least one of a specific machine identifier that submits valid requests, identifiers of personnel associated with the software developer that issue valid requests, and a time period in which the software developer may issue valid requests.

9. A computer program product comprising a non-transitory computer-readable storage medium storing computer-executable code, the code when executed by a computer processor performs steps comprising: receiving a request from a software developer to digitally sign software included in the request; accessing a security policy associated with the software developer, the security policy describing criteria for valid requests by the software developer; determining whether the request is valid based at least in part on whether one or more of the criteria for valid requests is met; digitally signing the software responsive to the determination indicating that the request is valid; embedding reputation information associated with the digitally-signed software in a digital certificate, the reputation information indicative of which of the one or more criteria for valid requests that were met in the determination of whether the request is valid, the one or more criteria for valid requests comprising geo-locations from which valid requests are issued by the software developer; and providing the digitally-signed software and the digital certificate to the software developer.

10. The computer program product of claim 9 , wherein the code when executed by the processor further performs steps comprising: identifying conditions in which the request is received from the software developer; comparing the identified conditions to the criteria for valid requests described by the security policy of the software developer; determining whether the identified conditions of the request match the criteria for valid requests described by the security policy based on the comparison; responsive to the identified conditions of the request matching the criteria for the valid requests, determining that the request is valid and digitally signing the software; and responsive to the identified conditions of the request not matching the criteria for the valid requests, determining that the request is anomalous.

11. The computer program product of claim 10 , wherein the code when executed by the processor further performs steps comprising: performing a security action responsive to determining that the request is anomalous, wherein the security action comprises denying the request.

12. The computer program product of claim 10 , wherein the code when executed by the processor further performs steps comprising: performing a security action responsive to determining that the request is anomalous, wherein the security action comprises contacting the software developer to confirm that the request is valid; and wherein the confirmation comprises receiving a security credential from the software developer.

13. The computer program product of claim 9 , wherein the code when executed by the processor further performs steps comprising: responsive to receiving the request, contacting a stakeholder associated with the software developer to verify that the request is valid; and refraining from processing the request until a security credential from the stakeholder is received verifying that the request is valid.

14. A computer system of a certificate authority for digitally signing software, the system comprising: a computer processor; and a non-transitory computer readable storage medium storing computer code configured to execute on the computer processor, the computer code when executed performs steps comprising: receiving a request from a software developer to digitally sign software included in the request; accessing a security policy associated with the software developer, the security policy describing criteria for valid requests by the software developer; determining whether the request is valid based at least in part on whether one or more of the criteria for valid requests is met; digitally signing the software responsive to the determination indicating that the request is valid; embedding reputation information associated with the digitally-signed software in a digital certificate, the reputation information indicative of which of the one or more criteria for valid requests that were met in the determination of whether the request is valid, the one or more criteria for valid requests comprising geo-locations from which valid requests are issued by the software developer; and providing the digitally-signed software and the digital certificate to the software developer.

15. The computer-system of claim 14 , wherein the computer code when executed performs further steps comprising: identifying conditions in which the request is received from the software developer; comparing the identified conditions to the criteria for valid requests described by the security policy of the software developer; determining whether the identified conditions of the request match the criteria for valid requests described by the security policy based on the comparison; responsive to the identified conditions of the request matching the criteria for the valid requests, determining that the request is valid and digitally signing the software; and responsive to the identified conditions of the request not matching the criteria for the valid requests, determining that the request is anomalous.

16. The computer system of claim 15 , wherein the computer code when executed performs further steps comprising: performing a security action responsive to determining that the request is anomalous, wherein the security action comprises contacting the software developer to confirm that the request is valid; and wherein the confirmation comprises receiving a security credential from the software developer.

17. The computer system of claim 15 , wherein the computer code when executed performs further steps comprising: responsive to receiving the request, contacting a stakeholder associated with the software developer to verify that the request is valid; and refraining from processing the request until a security credential from the stakeholder is received verifying that the request is valid.

18. The computer-implemented method of claim 1 , wherein the reputation information embedded in the digital certificate indicates a level of trustworthiness of the digitally signed software.

19. The computer-implemented method of claim 18 , wherein an execution of the digitally-signed software by a client device is based at least in part on the reputation information embedded in the digital certificate.

20. The computer-implemented method of claim 1 , wherein the reputation information embedded in the digital certificate specifies at least one condition in which the request is received from the software developer that matches one of the criteria for valid requests by the software developer.